Preface


This user guide introduces the Qualys Scanner Appliance. The Scanner Appliance offers 
Qualys users the ability to extend their use of the service to assess the security of internal 
network systems, devices and web applications. 


Note: Your use of the Qualys Scanner Appliance is subject to the terms and conditions of 
the Qualys Service User Agreement. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a 
founding member of the Cloud Security Alliance (CSA). 


For more information, please visit www.qualys.com. 


Contact Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access support information at www.qualys.com/support/. 
Get Started


Welcome to the Qualys Scanner Appliance, an option with the Qualys Cloud Platform 
from Qualys, Inc. With the Qualys Scanner Appliance, you can assess internal network 
devices, systems and web applications. The Scanner Appliance is a robust, scalable 
solution for scanning networks of all sizes including large distributed networks. 


It's easy to set up a Scanner Appliance within your network. Let's get started! 
Before you begin 
Best Practices for internal scanning 


Quick Start 


Interested in Virtual Appliances? 


Qualys Virtual Scanner Appliance is packaged and qualified for deployment on a 
variety of virtualization and cloud platforms. Please contact your TAM or Qualys 
Support if you're interested in adding Virtual Appliances to your license. 


Desktop/Laptop: VMware Workstation, Player, Fusion, Oracle VirtualBox 
Client/Server: VMware vCenter/vSphere, Citrix XenServer, Microsoft Hyper-V 


Cloud: Amazon EC2 - Classic, Amazon EC2 - VPC, Microsoft Azure, Google GCE, 
OpenStack 


Learn more 


Qualys Virtual Appliance: Platform Qualification Matrix 
Before you begin


Check package accessories 


Your starter kit package should contain these components. If any components are missing 
or damaged, please contact Qualys Support. 


Qualys Scanner Appliance User Guide 


AC power cord 
CAT6 cable 


Rack screws (quantity 4) - 10-32 x 3/4", Phillips, black matte, with washer 
USB-to-RS232 converter cable 


Network requirements / configuration 


Bandwidth


Minimum recommended bandwidth connection of 1.5 megabits per second (Mbps) to the
Qualys Cloud Platform.


Outbound HTTPS Access


The local network must be configured to allow outbound HTTPS (port 443) access to the
Internet, so that the Scanner Appliance can communicate with the Qualys Cloud Platform.


Network Mode


By default when you deploy a Scanner Appliance it will be in IPv4+v6 network mode. If
your network is configured in a way that only IPv6 addresses can be used, then you'll
need to switch to IPv6-only mode. See Enable IPv6-only Mode.


Appliance Access to Qualys Cloud Platform


The Scanner Appliance must be able to reach certain infrastructure located at the
Qualys Cloud Platform where your Qualys account is located.


Tip - Log into your account and go to Help » About to see the Qualys Cloud Platform URLs.


Appliance Access to Target Host IPs


The IP addresses for the hosts to be scanned must be accessible to the Scanner
Appliance. The Appliance must be able to resolve external DNS for the hostnames to be
scanned.


LAN Interface is Default


The LAN interface services both scanning traffic and management traffic to the Qualys
Cloud Platform, unless split network configuration is defined for the Appliance. See
Split Network Configuration.
VLAN Support


VLAN configuration options: 1) If you have connected the 
LAN interface to a 802.1q trunked port and need your 
Scanner Appliance to use VLAN tags on the LAN default 
network, enter the VLAN tag number using the Appliance 
console. 2) For any Appliance, you can choose option 1) 
and also configure more VLANs (to be used for scanning) 
using the Qualys user interface. 


DHCP or Static IP 


By default the Scanner Appliance is pre-configured with 
DHCP. If configured with a static IP address, be sure you 
have the IP address, netmask, default gateway, primary 
DNS and WINS server (if appropriate). 


Proxy Support 


The Scanner Appliance includes Proxy support with or 
without authentication — Basic or NTLM. Proxy-level 
termination (as implemented in SSL bridging, for example) 
is not supported. SOCKS proxies are not supported. 


WINS Support 


If your network is running Windows Internet Naming 
Service (WINS), the Scanner Appliance needs to use it for 
host name resolution during scanning. For an Appliance 
configured with DHCP, please be sure your WINS server IPs 
(primary and secondary) are added to your DHCP subnet 
configuration using “option netbios-name-servers WINS1, 
WINS2;”. For an Appliance with a static IP address, the 
WINS servers are defined with the static IP settings using 
the Appliance console. 


Network Time Protocol (NTP) 


The Scanner Appliance syncs the time from the Qualys 
SOC (Security Operations Center) for your 
account/location automatically. For this reason, there is 
nothing you need to configure for NTP. 


Best Practices for internal scanning 


Here are our best practices related to internal scanning. 


Avoid scanning through a firewall from the inside out 


Problems can arise when scan traffic is routed through the firewall from the inside out, i.e.
when the Scanner Appliance is sitting in the protected network area and scans a target
which is located on the other side of the firewall. We recommend placing scanner 
Appliances in your network topology in a way that scanning and mapping through a 
firewall from the inside out is avoided if possible. 


Learn more 


Scanning through a firewall 
Check network access to scanners


Go to Help > About in the application. The Scanner Appliances section lists URLs at the 
SOC (Security Operations Center) for your account/location. Your Scanner Appliances 
must be able to contact these URLs on port 443. For Private Cloud Platform, the URLs 
displayed are appropriate to your local on-site SOC. 


Learn more 


How to check network access to scanners 
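

A pre-deployment check for the port 443 requirement above, meant to be run from a host on the same segment where the Scanner Appliance will sit. This is an added example, not Qualys tooling: the host names in PLATFORM_HOSTS are placeholders for the URLs listed under Help > About, and the function names are hypothetical. It separates a blocked TCP path from a TLS chain that does not validate, which is what a TLS-terminating proxy (the unsupported "SSL bridging" case) usually looks like.

```python
"""Egress pre-check for Scanner Appliance placement (added example, not Qualys tooling)."""
import socket
import ssl
import sys
from dataclasses import dataclass

# Placeholders (assumption): replace with the Scanner Appliance URLs listed
# under Help > About for your account. ".invalid" names never resolve.
PLATFORM_HOSTS = [
    "scanner-endpoint-1.example.invalid",
    "scanner-endpoint-2.example.invalid",
]

ADVICE = {
    "ok": "reachable; confirm the issuer is the public CA you expect, because a "
          "host that trusts an internal CA will also accept an intercepting proxy",
    "tcp_blocked": "allow outbound TCP 443 to this host (check firewall, routing, DNS)",
    "tls_untrusted": "certificate chain is not trusted: a TLS-terminating proxy may "
                     "be in the path, which the appliance does not support",
    "tls_error": "TCP connects but the TLS handshake fails: look for a filtering "
                 "or non-TLS device in the path",
}


@dataclass
class ProbeResult:
    host: str
    port: int
    status: str   # one of the ADVICE keys
    detail: str


def issuer_name(cert):
    """Flatten the issuer field of getpeercert() into 'Organization / CN'."""
    fields = dict(rdn[0] for rdn in cert.get("issuer", ()))
    parts = [fields.get("organizationName"), fields.get("commonName")]
    return " / ".join(p for p in parts if p) or "unknown"


def probe(host, port=443, timeout=5.0, context=None):
    """Open TCP to host:port, then complete a certificate-verified TLS handshake."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # DNS failure, connection refused, filtered (timeout) or no route.
        return ProbeResult(host, port, "tcp_blocked", str(exc))
    ctx = context or ssl.create_default_context()  # verifies chain and host name
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            detail = f"{tls.version()}, issuer: {issuer_name(tls.getpeercert())}"
            return ProbeResult(host, port, "ok", detail)
    except ssl.SSLCertVerificationError as exc:
        return ProbeResult(host, port, "tls_untrusted", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        return ProbeResult(host, port, "tls_error", str(exc))


def check_all(hosts, port=443, timeout=5.0):
    """Probe every host and return the results in input order."""
    return [probe(h, port, timeout) for h in hosts]


if __name__ == "__main__":
    results = check_all(PLATFORM_HOSTS)
    for r in results:
        print(f"{r.host}:{r.port}  {r.status:<13} {r.detail}")
        print(f"    -> {ADVICE[r.status]}")
    sys.exit(0 if all(r.status == "ok" for r in results) else 1)
```

The result only describes the path from the host that runs it, so a pass from a workstation on another VLAN says nothing about the appliance's segment.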


Consult your network group for scanner placement 


It's highly recommended that you work with your network group to determine where to
place Scanner Appliances in an enterprise network environment. Some things to consider: 
place Scanner Appliances as close to target machines as possible, and make sure to 
monitor and identify any bandwidth restricted segments or weak points in the network 
infrastructure. Scanning through layer 3 devices (such as routers, firewalls and load 
balancers) could result in degraded performance so you may consider using our VLAN 
tagging feature (VLAN trunking) to circumvent layer 3 devices to avoid potential 
performance issues. 


Quick Start 


Once you complete the Quick Start you’re ready to start scanning! It takes just a couple of 
minutes. It’s important that you complete the steps in the order shown. 


Step 1 - Connect the Scanner Appliance to the Network 


Qualys strongly recommends the Scanner Appliance be plugged into a Managed Power 
Supply. On the rare occasion where the Scanner Appliance may need to be rebooted, 
utilizing the MPS will allow for remote rebooting in unmanned or high security areas. 


Set Up Network Connection 


The Scanner Appliance connects like any other computer to a switch on your network. 


To set up the network connection, follow these steps: 


• Connect one end of an Ethernet cable to the Ethernet LAN port on the Scanner
  Appliance (back panel).


• Connect the other end of the Ethernet cable to a 10BASE-T or 100BASE-TX or
  1 Gigabit switch on your network.
Remote Console Interface Set Up (optional)


The Remote Console interface supports remote configuration and management of the 
Scanner Appliance using a VT100 terminal, such as Windows HyperTerminal. 


[Figure: remote session to a terminal server, connected through the USB-to-RS232
converter cable to the Scanner Appliance]


Figure 1-1. Set up for Remote Console Interface 


A USB-to-RS232 converter cable allows you to connect to your terminal server via network
cable. Qualys recommends the following USB-to-RS232 converter cable:


IOGEAR USB-Serial Model GUC232A 
Full specifications: http://www.iogear.com/product/GUC232A/ 


Keystroke File Not Supported: The Remote Console interface is not intended for uploading 
the whole scanner configuration by means of a pre-defined “keystroke file.” Uploading 
such a file will result in lost characters and incorrect configuration. 


To set up the Remote Console interface, follow these steps: 


1 Be sure the terminal server is up and running. Also check the terminal server 
settings. The following settings are required. Note - Stop Bits must be set to 2. 


Port Setting                   Value
Bits per second (Baud rate)    9600
Data Bits                      8
Parity                         None
Stop Bits                      2
Flow Control                   None
Terminal Emulation             VT100


2 Connect one end of the USB-to-RS232 converter cable to a USB port on the Scanner 
Appliance (back panel). 


3 Connect the other end of the USB-to-RS232 converter cable to your terminal server 
via network cable. 
4 Connect the Scanner Appliance (see Step 2 - Power On the Scanner Appliance)


Note: In the case where the Scanner Appliance is already powered on, you must 
reboot the Scanner Appliance before taking the next step and making any 
configurations. To reboot, press the Down arrow on the LCD interface until the 
SYSTEM REBOOT message appears and then press ENTER. Please make sure that 
the Scanner Appliance has fully rebooted (this takes up to 3 minutes). 


Press the ENTER key on the VT100 terminal’s keyboard to display the Remote 
Console interface. You will notice the MAC address for the Scanner Appliance 
appears. 


Step 2 - Power On the Scanner Appliance 


To power on the Scanner Appliance, follow these steps: 


1 Connect the AC power cord into the Power Supply Socket.


Note: Qualys strongly recommends the Scanner Appliance be plugged into a
Managed Power Supply. On the rare occasion where the Scanner Appliance may
need to be rebooted, utilizing the MPS will allow for remote rebooting in
unmanned or high security areas.


2 Press the power button on the back panel. Be sure that the power button has a
green backlight.


Welcome to Qualys appears in the Scanner Appliance interface followed by other 
informational messages during the boot process which takes approximately two 
minutes. These messages appear in the order shown: 


Welcome to Qualys 

Qualys Scanner is starting up... 
Filesystem check in progress... 
Qualys Scanner is coming up... 


Once the Scanner Appliance makes a successful connection to the Qualys Cloud 
Platform you'll see the activation code message. 


ACTIVATION CODE — The activation code for the Scanner Appliance is displayed. 
A unique code is assigned to each Appliance. Make a note of the activation code 
and then go to enter the activation code. 


You might see an appliance configuration error instead. This will be reported if the 
Scanner Appliance did not make a successful connection to the Qualys Cloud 
Platform using its current network settings. The error must be resolved before you 
go to Step 3. Need help? See Troubleshooting. 


Tip - If you've set up the Remote Console, it may be necessary to press the ENTER 
key on the VT100 terminal's keyboard to display the Remote Console interface. 
Complete the Network Configuration (default IPv4+v6 mode)


Enable the network configurations for the Scanner Appliance, as appropriate, in the order 
listed. One or more configurations may be required. Any error must be resolved before 
going to Step 3. Refer to Troubleshooting for help with resolving any errors. 


Configuration Options              For information ...

A  Static IP Address               See "Configure Static IP Address" on page 29

B  Proxy Support                   See "Proxy Configuration" on page 34

C  Split Network Configuration     See "Enable DHCP on the WAN Interface" on page 40
   using DHCP                      and "Enable DHCP on the WAN Interface" on page 40

D  Split Network Configuration     See "Enable DHCP on the WAN Interface" on page 40
   using a Static IP Address       and "Enable Static IP on the WAN Interface" on page 41


Use the options chart below to determine the configurations needed. 


                                       DHCP        Static IP   DHCP         Static IP
                                       w/o Proxy   w/o Proxy   with Proxy   with Proxy
Standard Config                        no action   A           B            A & B
Split Netw. Config: DHCP on WAN        C           A & C       B & C        A, B, & C
Split Netw. Config: Static IP on WAN   D           A & D       B & D        A, B, & D


The Scanner Appliance supports VLAN interface configuration (802.1Q). For information, 
see Configure VLANs and Static Routes. 


You may see an appliance configuration error one or two more times, depending on how 
many configurations are needed. For example, if the Scanner Appliance is installed on a 
network with DHCP and a Proxy server, and you want split network configuration with 
DHCP, you enable options B and C. After you enable option B, you'll see another error 
prompting you to make another configuration. 


Complete the Network Configuration (IPv6-only mode) 


If your network is configured to only allow IPv6 addresses, then you'll need to switch to 
IPv6-only network mode and make network configuration settings. See Enable IPv6-only 
Mode for details on how to reset the Scanner Appliance to IPv6-only mode, then configure 
your network, VLANs and proxy before continuing to the next step. 
Step 3 - Activate the Scanner Appliance


You will need a Qualys user account with the role of Manager or Unit Manager. Check to be
sure that you have your account information.


1 Open a browser and go to the platform URL where your account is located. Please
refer to your registration email containing your platform URL and login
credentials. A Manager or Unit Manager account is required.


2 On the Qualys LOGIN page, enter your user name (login) and password, and then
click LOGIN. You are prompted to review and accept the licensing agreement when
you log into your account for the first time. Your Qualys Home page appears upon
successful login.


3 Select VM/VMDR from the application picker. Then go to Scans > Appliances.


4 Select New > Scanner Appliance and enter the activation code for the appliance
as it appears in the ACTIVATION CODE screen in your Appliance’s user interface.
Note: The activation code is shown only when the Appliance has not been
activated yet.


5 (Unit Manager only) From the Add To menu, select an asset group that you want
to add the Scanner Appliance to. This will make the Appliance available to users
in your business unit.


6 Click Activate. Then the Scanner Appliance attempts to login to the Qualys Cloud
Platform.


Note: It may take a few minutes for the Scanner Appliance activation to occur. If 
you prefer not to wait, complete the activation manually by restarting the Scanner 
Appliance. Just press the Down arrow until the SYSTEM REBOOT screen appears 
and then press ENTER. When REALLY REBOOT SYSTEM? appears press ENTER. 


The SCANNER APPLIANCE NAME-IP ADDRESS message appears after the Scanner 
Appliance makes a successful login to the Qualys Cloud Platform. Do you see 
another message instead? See Troubleshooting and we'll help you with this. 


That’s all there is to it! 


You are ready to start scanning with your Qualys Scanner Appliance! You'll see the
Scanner Appliance name and IP address in the interface (LCD or Remote Console). This
indicates you have completed the Quick Start and the Scanner Appliance has been added to
your subscription.


Tip - Before you launch scans using the Scanner Appliance, we recommend you log into 
the Qualys user interface and check the Appliance status on the appliances list. 
Scanner Appliance Name and IP Address


The Scanner Appliance name and IP address appear as shown below. 


Sample:

Appliance Name   is_qualys_ez
IP Address       194.55.109.12


The Scanner Appliance name displayed is "is_username", where username is your
Qualys user name. The name can be changed using the Qualys user interface.


The IP address is available for information purposes only. The Scanner Appliance
is remote controlled by the Qualys Cloud Platform, and the Appliance does not
allow incoming logins or connections from the network. If split network
configuration is enabled, the IP address for the LAN interface is displayed.


The Qualys Cloud Platform indicator for your account appears in the lower right 
corner. 


Proper Shutdown 


Just go to the LCD display on the front panel. Press the down arrow until SYSTEM 
SHUTDOWN appears, and then press ENTER. When you see REALLY SHUTDOWN SYSTEM? 
press ENTER. You'll notice the Scanner Appliance lights and LEDs are turned off. Then you 
can safely disconnect the power supply. 


Don't want to use the LCD interface? No problem, you can press the power button on the 
back panel instead. 
We recommend one more thing


Check your Scanner Appliance status in the Qualys portal. Go to Scans > Appliances and
select your Appliance. You'll see details in the preview pane. 


[Screenshot: the Scans > Appliances list, with the preview pane for the selected
appliance showing its ID, owner, connection status, heartbeat checks missed, latest
scanner version, latest signature version and available capacity]


1) [icon] tells you your Scanner Appliance is ready. Now you can start internal scans! Next to
the status you'll see the busy icon is greyed out until you launch a scan, then it looks like
this: [icon].


You might also check out:


2) [icon] tells you that your Scanner Appliance is a Physical Appliance and [icon] means it's a
Virtual Appliance.


3) Latest software versions - these are installed automatically as part of the activation. 


4) The available capacity will be 100% until you launch a scan. You can come back and 
check on this at any time. 
Scanner Appliance Tour


This section gives you a tour of the Qualys Scanner Appliance, its features, basic operation 
and configuration options. 


A Quick Look at the Appliance 
Navigating the Appliance UI 

System Reboot and Shutdown 
Configure VLANs and Static Routes 
Configure Static IP Address 
Configure IPv6 Address for Scanning 
Proxy Configuration 

Split Network Configuration 
Ethernet Port Configuration 
Changing the Network Configuration 
Enable IPv6-only Mode 

Network Settings in IPv6-only Mode 
Switch Between Modes 


Reset All Network Settings 
A Quick Look at the Appliance


Front Panel 


You'll see Welcome to Qualys in the LCD display when you connect the Appliance to the 
network for the first time. After you've successfully completed the Quick Start steps for 
your Scanner Appliance, you'll see the Scanner Appliance name and IP address. 


Use the keypad to enter information and respond to prompts. 
• Left and Right arrow buttons move the cursor to left/right in an entry field.


• Up and Down arrow buttons scroll through menu options, and scroll through
  characters in an entry field.


• ENTER button, in the center, is used to confirm entries and move to the next
  screen.


Tell me about the LEDs.
• S1 tells you a Qualys scan is in progress on the Scanner Appliance.
• S2 tells you a software update to the Scanner Appliance is in progress.


• S3 is not used.


Back Panel 


The Appliance's back panel includes: the power socket, the Ethernet LAN port, the 
Ethernet WAN port, two USB 2.0 ports and two USB 3.0 ports. 
Power socket - Use to connect the power connector to the Appliance.


Power button - Use to power on the Appliance. A green light indicates the Appliance is 
turned on. 


LAN/WAN ports - Use to connect the Appliance to a hub or switch on your network using 
a straight through CAT6 twisted pair Ethernet cable. The LAN port is required. The WAN 
port is only required if you choose the split network configuration option. 


USB ports - Connect a USB-to-RS232 converter cable to a USB port if you want to use the 
optional Remote Console interface (any port may be used). 


Appliance UI 


The Scanner Appliance has a user interface for configuration and management. You can 
choose to use the LCD display and keypad on the front panel, or the optional Remote 
Console interface. Both the LCD display and Remote Console offer the same functionality 
and share the same menus and navigation (ENTER key and arrows) for a consistent user 
experience. 


The Remote Console interface supports remote configuration and management of the 
Scanner Appliance using a VT100 terminal, such as Windows HyperTerminal. See Remote 
Console Interface Set Up (optional). 
Navigating the Appliance UI


Main Menu 


To access the Scanner Appliance main menu, press ENTER when the Scanner Appliance 
name and IP address are displayed. The first menu option displayed is SETUP NETWORK. 


SETUP NETWORK
ENABLE PROXY
RESET NETWORK SETTINGS
SYSTEM SHUTDOWN
VERSION INFO <number>
EXIT THIS MENU


Figure 2-1. Scanner Appliance Main Menu 


To move up through the menu options, press the Up arrow. To move down through the 
menu options, press the Down arrow. To select an option, press ENTER. To exit the main 
menu, press the down arrow button until the EXIT THIS MENU option appears, and then 
press ENTER. 
Navigation Indicators


Each Scanner Appliance screen displays one or more indicators in the top right corner, 
indicating the navigation options available from the current screen. 


LCD Button     Remote Console Key   Description
[Enter icon]   ENTER                Confirm a selection. After you press ENTER, another
                                    screen appears.
>              RIGHT                Move the cursor to the right in an entry field.
<              LEFT                 Move the cursor to the left in an entry field.
^              UP                   Used to:
                                    - Increase the value in an entry field
                                    - Move up through menu options
                                    - Cancel a confirmation message
v              DOWN                 Used to:
                                    - Decrease the value in an entry field
                                    - Move down through menu options


Note these important guidelines for using buttons: 1) Press one button at a time, 2) Do not 
hold down an arrow button (except as noted in guideline 3), instead press the arrow 
multiple times, and 3) When entering a user name or password, you can hold down the Up 
and Down arrow buttons to scroll through characters quickly. 


Entering Information 


The Scanner Appliance user interface (LCD and Remote Console) allows users to enter
information in the fields provided using arrow keys. The Left and Right arrows move the 
cursor to the left and right and the Up and Down arrows are used to scroll through 
characters. Some fields allow certain characters to be entered. The character restrictions 
are described below. 


Up and Down Arrows 


Using the LCD user interface, use the Up and Down arrows to enter characters in a field.
Using the Remote Console interface, you have the option to use the Up and Down arrows
or to use your keyboard to enter characters.


In numeric entry fields, you press the Up and Down arrows to select a value between 
0 and 9. When a numeric entry field is first displayed, a default value appears. 
In text entry fields where you enter a user name and password, you press the Up and
Down arrows to select a character (numeric, alphabetic, space, underscore or special 
character). In these fields, you can hold the Up arrow or the Down arrow to scroll through 
the available characters. When a text entry field is first displayed, the text entry field is 
blank (filled with spaces). 


Scrolling through Characters 


Some fields allow you to select characters. Press the Up arrow to scroll through characters 
in ascending order. Starting from the space character, the characters appear in this order: 
lowercase letters (a to z), space, numbers (0 to 9), underscore, special characters (for Proxy 
user name and password only), uppercase letters (A to Z). 


Press Up Arrow:

<space> abcdefghijklmnopqrstuvwxyz
<space> 0 1 2 3 4 5 6 7 8 9 _ <special characters*>
ABCDEFGHIJKLMNOPQRSTUVWXYZ


Figure 2-2. Scrolling characters in ascending order 


Press the Down arrow to scroll through characters in descending order. Starting from the 
space character, the characters appear in this order: uppercase letters (Z to A), special 
characters (for Proxy user name and password only), underscore, numbers (9 to 0), space, 
lowercase letters (z to a). 


Press Down Arrow:

<space> ZYXWVUTSRQPONMLKJIHGFEDCBA
<special characters*> _ 9 8 7 6 5 4 3 2 1 0 <space>
zyxwvutsrqponmlkjihgfedcba


Figure 2-3. Scrolling characters in descending order 
Inserting and Deleting Characters


Some fields allow you to insert and delete characters. This is supported for PROXY HOST 
and WINS DOMAIN, and is especially useful when updating long FQDN values or IPv6 
addresses (when in IPv6-only mode). Go to the field you need to modify and press the 
Down arrow to activate insert/delete mode. Press the Down arrow again to navigate 
through the menu options. 


• When Delete Previous? appears, scroll through the characters and press Enter
  to delete the character in the previous position. This option does not appear for
  the first character in the field.


• When Insert Character? appears, press Enter and then type or scroll through
  the characters to insert a character at the current position.


• When Done editing? appears, press Enter to confirm. Or press the Up arrow to
  continue with edits to the field value.


Space Character 


When a text field entry contains fewer characters than the character positions on the 
interface screen, you must select the space character for the unused positions, before or 
after the field entry. Only the characters associated with the field entry and space 
characters may be included in a text field entry. 


Embedded spaces are not permitted in text field entries. 


The space character may be used to remove characters when editing text fields, except the 
Proxy password. To remove a character in an entry field using the LCD user interface, 
move the cursor on the character (using the Left and Right arrows), select the space 
character (using the Up and Down arrows) and then press ENTER. Any space characters 
entered appear in the interface screen until the next time you revisit the screen. 


IPv4 Addresses 
Entry fields for IP addresses are pre-filled with values in this format: nnn.nnn.nnn.nnn 


The IP address format displays values for each character position in all octets. When
entering an IP address, you replace the three “n” digits for each octet as appropriate. If an
octet has fewer than three digits, then the octet must include leading zeros. For example, to
specify the IP address “194.55.176.2”, you input the IP address as “194.055.176.002”.


IPv6 Addresses 


When using IPv6-only mode, you'll need to enter IPv6 addresses for certain network 
configurations. The Scanner Appliance supports IPv6 addresses in expanded and 
compressed formats. For example, enter an IPv6 address in expanded format like 
2001:470:8418:ffe:250:56ff:feb3:b89 or in compressed format like 
2001:db8:3c4d:15:0:d234:3eee:: 
Windows Domain Name


The WINS DOMAIN field in the static IP address configuration allows you to enter the 
domain name (for example, mydomain.com). The domain name entry can have a 
maximum length of 32 characters. These characters are allowed: uppercase letters, 
numbers, underscore (_), and period (.).


Figure 2-4. Special characters in the Windows domain field 


The screen displays 16 characters of the WINS DOMAIN field entry and it scrolls left. For 
example, the first character of the domain name is hidden when the 17th character is 
entered. As each additional character is entered, the domain name scrolls left. 


Tips - The space character may be used to remove characters when editing the domain 
name entry. There’s a shortcut for clearing a domain name entry. Just press the Left arrow 
and Right arrow at the same time. 


Proxy User Name 


For the Proxy user name in the PROXY USER field you may enter a maximum of 32
characters including lower case letters, upper case letters, numbers, and underscore.
These special characters can be used: underscore (_), dash (-), backslash (\), period (.), at
sign (@).


Figure 2-5. Special characters in the Proxy user field


The screen displays 16 characters of the PROXY USER field entry, and it scrolls left. For 
example, the first character of the Proxy user name is hidden when the 17th character is 
entered. As each additional character is entered, the Proxy user name scrolls left. The 
Space character may be used to remove characters. 


The format of a Proxy user entry is: “domain\user”. If there is a backslash in the middle of
the entry, the Appliance interprets the string before the backslash as the domain name.
No double backslashes (\\) are needed in front of the "domain\user" format.
Proxy Password


The PROXY PASSW field allows you to enter a maximum of 16 characters including lower case
letters, upper case letters, numbers, and underscore. Many special characters are allowed. 
These characters are shown in ascending order in the table below. Using the LCD 
interface, to scroll through characters 1 to 30, press the Up arrow. To scroll through 
characters in descending order, press the Down arrow. 


Special Characters in the PROXY PASSW field


Order        Character  Name            Order        Character  Name
(ascending)                             (ascending)
1            _          underscore      16           +          plus
2            -          hyphen          17           =          equal
3            \          backslash       18           (          parenthesis left
4            /          slash           19           )          parenthesis right
5            |          bar             20           {          brace left
6            ~          tilde           21           }          brace right
7            !          exclamation     22           [          bracket left
8            ?          question        23           ]          bracket right
9            @          at sign         24           <          less
10           #          number sign     25           >          greater
11           $          dollar          26           ;          semicolon
12           %          percent         27           "          double quote
13           ^          asciicircum     28           `          grave
14           &          ampersand       29           ,          comma
15           *          asterisk        30           .          period
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System Reboot and Shutdown 


It is important to follow the proper system shutdown instructions described below. If you 
do not follow these instructions, file system corruption may occur. 


How to reboot the system 
1 With the Scanner Appliance name and IP address displayed, press ENTER. 


2 When the SETUP NETWORK menu option appears, press the Down arrow to 
navigate through the menu options. 


3 When the SYSTEM REBOOT menu option appears, press ENTER to select the option. 
4 When the REALLY REBOOT SYSTEM? prompt appears, press ENTER to confirm. 


Review the confirmation messages starting with REBOOTING SYSTEM message. The 
SCANNER APPLIANCE NAME-IP ADDRESS is displayed after the Scanner Appliance makes 
a successful connection to the Qualys Cloud Platform. This message indicates the Scanner 
Appliance is ready for scanning. If another message appears you need to activate the 
Scanner Appliance or troubleshoot the issue before scanning. See Troubleshooting for 
help with resolving any errors. 
How to shut down the system 
You can power off the system using the shutdown button or using the Appliance UI. 
Using the Appliance UI: 

1 With the Scanner Appliance name and IP address displayed, press ENTER. 


2 When the SETUP NETWORK menu option appears, press the Down arrow to 
navigate through the menu options. 


3 When the SYSTEM SHUTDOWN menu option appears, press ENTER. 
4 When the REALLY SHUTDOWN SYSTEM? prompt appears, press ENTER to confirm. 


5 Important! The Scanner Appliance should now power down within 60 seconds. 
When this message appears: “It’s now safe to unplug the box”, then you can safely 
unplug the Scanner Appliance. 


What happens after restart? 


When you restart the Scanner Appliance, several messages appear during the startup 
process, as described below: 


1 When the system is restarted, informational messages appear in the screen during 
the boot process. These messages appear in the order shown below: 


Welcome to Qualys 

Qualys Scanner is starting up... 
Filesystem check in progress... 
Qualys Scanner is coming up... 


2 The Appliance attempts to connect to the Qualys Cloud Platform using its 
configuration. During this phase, these messages appear in the order shown 
below: 


CONTACTING QUALYS 
Filesystem check in progress... 
CONTACTING QUALYS 


3 The SCANNER APPLIANCE NAME-IP ADDRESS is displayed after the Scanner 
Appliance makes a successful connection to the Qualys Cloud Platform. This 
means the Scanner Appliance is ready to start scanning. If another message 
appears you need to take some action before you can start scanning: 


- ACTIVATION CODE — The Scanner Appliance needs to be activated. Refer to 
the Quick Start for instructions. 


- Appliance configuration error — An error prevented the Scanner Appliance 
from making a connection to the Qualys Cloud Platform. This issue must be 
resolved before scanning. See Troubleshooting for help with resolving the 
issue. 


Configure VLANs and Static Routes 


This is supported in IPv4+v6 network mode (the default) and IPv6-only mode. 


The Scanner Appliance supports VLAN trunking on the LAN interface for scanning traffic. 
VLAN trunking on the WAN interface is not supported. One VLAN interface (802.1Q) may 
be configured using the Scanner Appliance user interface (LCD and Remote Console). Up 
to 4094 VLANs and static routes can be defined using the Qualys web application. 


How it works - The Scanner Appliance adds VLAN tag(s) to all scanning packets following 
the 802.1Q tagging protocol. 
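

One way to confirm, on a packet capture taken at the switch port, that scanning frames carry the VLAN ID configured on the appliance. This is an added example, not Qualys code: the function names and both sample frames are constructed for illustration, and the handling of stacked tags (TPID 0x88A8) goes beyond the single 802.1Q tag described here.

```python
import struct

TPID_8021Q = 0x8100    # 802.1Q VLAN tag
TPID_8021AD = 0x88A8   # outer service tag when tags are stacked (802.1ad)

# Constructed sample frames: broadcast destination, documentation-range source MAC,
# IPv4 EtherType, zero-filled payload. The tagged one carries VLAN ID 120.
SAMPLE_TAGGED = bytes.fromhex("ffffffffffff" "00005e005301" "8100" "0078" "0800") + bytes(46)
SAMPLE_UNTAGGED = bytes.fromhex("ffffffffffff" "00005e005301" "0800") + bytes(46)


def vlan_tags(frame: bytes):
    """Return ([(tpid, pcp, dei, vid), ...], ethertype) for one Ethernet frame."""
    offset, tags = 12, []            # skip destination and source MAC addresses
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame ends before the EtherType field")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return tags, ethertype   # first non-tag value is the payload EtherType
        if len(frame) < offset + 4:
            raise ValueError("frame ends inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        # TCI layout: 3-bit priority, 1-bit drop eligible, 12-bit VLAN ID
        tags.append((ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4


def check_scan_frame(frame: bytes, configured_vid: int) -> str:
    """Compare a captured frame against the VLAN ID entered on the appliance."""
    if not 1 <= configured_vid <= 4094:
        # The appliance prompt accepts 0-4094, and 0000 disables the VLAN.
        raise ValueError("configured VLAN ID must be 1-4094")
    tags, _ethertype = vlan_tags(frame)
    if not tags:
        return "untagged"
    seen = [vid for _tpid, _pcp, _dei, vid in tags]
    if configured_vid in seen:
        return "ok"
    return f"tagged with VLAN {seen}, expected {configured_vid}"


if __name__ == "__main__":
    for name, frame in (("tagged", SAMPLE_TAGGED), ("untagged", SAMPLE_UNTAGGED)):
        print(name, vlan_tags(frame), check_scan_frame(frame, 120))
```

An "untagged" result on a trunk port usually means the capture point strips tags or the frame left on the native VLAN, so check where the capture was taken before changing the appliance.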


Configure VLAN using the Appliance UI 
A VLAN that is defined using the Scanner Appliance UI is saved on the Appliance and 
can't be edited using the Qualys UI. 


Important! After making configuration changes, be sure to complete the entire network 
configuration so that your Scanner Appliance makes a successful connection to the 
Qualys Cloud Platform. 


Configure VLAN 


To configure the Scanner Appliance with a default VLAN interface on the LAN interface, 
follow these steps: 


1 Go to the SETUP NETWORK menu option and press ENTER to continue. 


2 Press the Down arrow one time. When the ENABLE VLAN ON LAN menu option 
appears, press ENTER to continue. 


3 When the prompt VLAN 0-4094 appears, specify the VLAN ID. The value “0000” 
appears in the screen by default. Specify the VLAN ID, and then press ENTER to 
continue. 


Change VLAN 


A default VLAN that you've added using the Scanner Appliance user interface (LCD and 
Remote Console) can be changed at any time. To do this, select the CHANGE VLAN ON LAN 
menu option from the SETUP NETWORK menu. Then enter another VLAN ID and press 
ENTER. 


Disable VLAN 


To disable a default VLAN, select the CHANGE VLAN ON LAN menu option from the SETUP 
NETWORK menu. Then enter the VLAN ID "0000" and press ENTER. After the configuration 
is disabled the ENABLE DHCP ON LAN menu option appears on the Scanner Appliance 
interface. 


Configure VLANs / Static Routes using the Qualys UI 


Configuring VLANs and static routes is supported using the Qualys UI. Just go to the 
appliances list (Scans > Appliances) and edit the Appliance settings. The VLANs and static 
routes you add are saved with your account information on the Qualys Cloud Platform. 


You can add up to 4094 VLANs to devices with a serial number over 29000 and up to 
99 VLANs to devices with a serial number under 29000. Add up to 99 static routes. 


Don't see these settings? The VLAN trunking feature must be turned on for your account. 
Please contact Support or your Technical Account Representative if you'd like us to turn it 
on for you. 


Configure Static IP Address 


If DHCP is not on your network, you must enable the Scanner Appliance with a static 
IP address using the ENABLE STATIC IP ON LAN menu option. One of these 
configurations is required. Using IPv6-only mode? Please see Network Settings in 
IPv6-only Mode for instructions. 


Entry fields for IP addresses used in the static IP address configuration are pre-filled with 
three digits for all octets, and you must enter a value for each digit. For example, to specify 
the IP address “176.34.20.5”, you input the IP address as “176.034.020.005”. See IPv4 
Addresses for details. 


Tell me the steps 


When enabling a static IP address on the LAN interface, you must enter network 
configuration settings for the Scanner Appliance so that the Appliance can communicate 
with the Qualys Cloud Platform. Also, you have the option to enter some network settings 
for informational purposes. 


To enable a static IP address on the LAN interface for the Scanner Appliance, follow 
these steps: 


1 Go to the SETUP NETWORK menu option and press ENTER to continue. 


2 Press the Down arrow until the ENABLE STATIC IP ON LAN menu option appears. 
Then press ENTER to continue. 


3 When the CFG LAN STATIC NETWORK PARAMS? prompt appears, press ENTER to 
continue. Or press the Up arrow to quit this procedure and return to the 
SETUP NETWORK menu option. 


Entering parameters 


The Scanner Appliance user interface (LCD and Remote Console) allows users to enter 
information in the fields provided using the arrow keys. Use the Left and Right arrows to 
move the cursor to the left and right, and use the Up and Down arrows to scroll through 
characters. With the Remote Console interface, you have the option to enter characters 
using the VT100 terminal's keyboard. 


1 When the LAN IP ADDR prompt appears, enter the static IP address, and then 
press ENTER to continue. 


2 When the LAN NETMASK prompt appears, use the Up and Down arrows to scroll to 
the desired netmask value. For information about netmask values, see Tell me 
about LAN Netmask. After selecting a netmask value, press ENTER to continue. 


3 When the LAN GATEWAY prompt appears, enter the gateway IP address, and then 
press ENTER to continue. 


4 When the LAN DNS1 prompt appears, enter the IP address for the primary DNS 
server, and then press ENTER to continue. 


5 When the LAN DNS2 prompt appears, enter the IP address for the secondary DNS 
server. This entry is optional. Press ENTER to continue. 


6 Next are three optional network settings, used for informational purposes only. 
These Appliance settings are not used to access the internal network for scanning 
or the Qualys Cloud Platform for software updates. To skip these settings, press 
ENTER three times. 


- When the LAN WINS1 prompt appears, enter the IP address for the primary 
WINS server, if any. Press ENTER to continue. 


- When the LAN WINS2 prompt appears, enter the IP address for the secondary 
WINS server, if any. Press ENTER to continue. 


- When the DOMAIN NAME prompt appears, enter the domain name for the 
DNS server (for example, mydomain.com). Press ENTER to continue. 


7 When the REALLY SET LAN STATIC NETWORK? prompt appears, press ENTER to 
continue. Or press the Up arrow to quit this procedure and return to the 
SETUP NETWORK menu option. 


8 Review the confirmation messages. The Scanner Appliance attempts to make a 
connection to the Qualys Cloud Platform using the new configuration. Upon 
success the SCANNER APPLIANCE NAME-IP ADDRESS message appears and the 
static IP address is enabled. 


Confirm the configuration 


When you see SCANNER APPLIANCE NAME-IP ADDRESS this means you are ready to start 
scanning. This message appears if the Scanner Appliance made a successful connection to 
the Qualys Cloud Platform using the new configuration. 


An appliance configuration error appears if the Scanner Appliance failed to make a 
connection to the Qualys Cloud Platform. An error may occur because the static IP 
parameters you entered are incorrect, or they do not match the static IP configuration on 
your network. See Troubleshooting for help with resolving the issue. 


Tell me about LAN Netmask 


When entering static network parameters, you will notice that the cursor does not appear 
after the LAN NETMASK prompt and you cannot enter characters in the entry field. At first, 
the netmask “255.255.255.000” appears. Use the Up and Down arrows to scroll through 
valid netmasks. When the appropriate netmask value appears, press ENTER to confirm. 


Possible netmask values are listed below. If you press the Down arrow, the values appear 
in this order: “255.255.255.000”, “255.255.254.000”, “255.255.252.000”... If you press the 
Up arrow, the values appear in this order: “255.255.255.000”, “255.255.255.128”, 
“255.255.255.192”... 


Scrolling netmask values in the Netmask field 


Prefix  Netmask value      Prefix  Netmask value 

/24     255.255.255.000    /9      255.128.000.000 
/23     255.255.254.000    /8      255.000.000.000 
/22     255.255.252.000    /7      254.000.000.000 
/21     255.255.248.000    /6      252.000.000.000 
/20     255.255.240.000    /5      248.000.000.000 
/19     255.255.224.000    /4      240.000.000.000 
/18     255.255.192.000    /3      224.000.000.000 
/17     255.255.128.000    /2      192.000.000.000 
/16     255.255.000.000    /1      128.000.000.000 
/15     255.254.000.000    /30     255.255.255.252 
/14     255.252.000.000    /29     255.255.255.248 
/13     255.248.000.000    /28     255.255.255.240 
/12     255.240.000.000    /27     255.255.255.224 
/11     255.224.000.000    /26     255.255.255.192 
/10     255.192.000.000    /25     255.255.255.128 
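

A planning helper for the static IP entry described above: it converts addresses to and from the three-digits-per-octet form the appliance expects, gives the netmask value and arrow presses for a prefix, and checks that the gateway falls inside the chosen subnet. This is an added example, not Qualys code; the function names are hypothetical, the sample addresses are constructed, and treating LAN DNS1 as required is an assumption drawn from the page marking only DNS2 as optional.

```python
import ipaddress

DEFAULT_PREFIX = 24   # the LAN NETMASK prompt starts at 255.255.255.000


def to_lcd(addr: str) -> str:
    """Standard dotted decimal -> the appliance's three-digits-per-octet form."""
    ip = ipaddress.IPv4Address(addr)            # rejects malformed or out-of-range input
    return ".".join(f"{octet:03d}" for octet in ip.packed)


def from_lcd(padded: str) -> ipaddress.IPv4Address:
    """Appliance form -> IPv4Address, reading every octet as decimal."""
    parts = padded.split(".")
    if len(parts) != 4 or not all(len(p) == 3 and p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"expected ddd.ddd.ddd.ddd, got {padded!r}")
    # "034" means 34 here. Tools that follow inet_aton() rules read a leading
    # zero as octal (28), so never paste the padded form into other software.
    octets = [int(p, 10) for p in parts]
    if max(octets) > 255:
        raise ValueError(f"octet out of range in {padded!r}")
    return ipaddress.IPv4Address(bytes(octets))


def netmask_entry(prefix: int):
    """Return (netmask in appliance form, arrow key, presses from the default)."""
    if not 1 <= prefix <= 30:
        raise ValueError(f"/{prefix} is not in the appliance's netmask list (/1 to /30)")
    mask = to_lcd(str(ipaddress.IPv4Network((0, prefix)).netmask))
    if prefix == DEFAULT_PREFIX:
        return mask, None, 0
    # Down walks toward shorter prefixes, Up toward longer ones (see the table order).
    key = "Down" if prefix < DEFAULT_PREFIX else "Up"
    return mask, key, abs(prefix - DEFAULT_PREFIX)


def check_static_config(ip: str, prefix: int, gateway: str, dns1: str):
    """List problems with planned LAN static parameters (addresses in appliance form)."""
    netmask_entry(prefix)                        # raises if the prefix cannot be selected
    host, gw = from_lcd(ip), from_lcd(gateway)
    net = ipaddress.IPv4Network((host, prefix), strict=False)
    problems = []
    if host in (net.network_address, net.broadcast_address):
        problems.append(f"{host} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    elif gw == host:
        problems.append("gateway equals the appliance address")
    if from_lcd(dns1).is_unspecified:            # assumption: DNS1 is required
        problems.append("LAN DNS1 is unset (000.000.000.000)")
    return problems


if __name__ == "__main__":
    print(to_lcd("176.34.20.5"))
    print(netmask_entry(22))
    print(check_static_config("192.000.002.020", 26, "192.000.002.129", "192.000.002.053"))
```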


Interface - Enable Static IP on LAN 


(*) One option may be enabled: ENABLE VLAN ON LAN or ENABLE DHCP ON LAN. After one 
option is enabled, the other option disappears from the SETUP NETWORK menu. 


[Figure: SETUP NETWORK menu flow for ENABLE STATIC IP ON LAN, showing the CFG LAN STATIC 
NETWORK PARAMS? prompt followed by the LAN IP ADDR, LAN NETMASK, LAN GATEWAY, LAN DNS1, 
LAN DNS2, LAN WINS1, LAN WINS2 and DOMAIN NAME entry screens] 


Figure 2-6. User Interface for Enable Static IP on LAN 


We'll update menu options once you configure settings. Once you configure ENABLE 
STATIC IP ON LAN the option will change to CHANGE STATIC IP ON LAN. Once you 
configure ENABLE DHCP ON LAN the option will appear as RENEW DHCP ON LAN. 


Configure IPv6 Address for Scanning 


This applies when you're in the default IPv4+v6 mode. Interested in only using IPv6? See 
Enable IPv6-only Mode. 


You have the option to configure the Scanner Appliance with an IPv6 address on the LAN 
interface - this will be used for scanning IPv6 hosts. 


How it works - Once configured, scanning traffic is routed through the LAN interface - LAN 
IPv4 for scanning IPv4 hosts, and LAN IPv6 for scanning IPv6 hosts. All management traffic 
(software updates, health checks, etc.) is routed through the LAN IPv4 interface. 


A few things to consider 


First go to the Appliance UI and complete the Quick Start. You must configure an 
IPv4 address on the LAN interface (using DHCP or a static IP). 


Be sure your Scanner Appliance has successfully connected to the Qualys Cloud 
Platform. 


The IPv6 Scanning feature must be enabled for your subscription. 


Tell me the steps 


1 Log in to the Qualys UI. 


2 Go to Scans > Appliances and edit your Scanner Appliance. You'll see the 
Appliance wizard. 


3 Under LAN settings select "Enable IPv6 for this scanner". You can choose 
"Automatically" and we'll do IP assignment through router advertisement, or 
choose "Static" and assign a static IP address. 


Don't see these settings? This means IPv6 Scanning is not turned on for your 
account. Please contact Support or your Technical Account Manager if you'd like 
us to turn it on for you. 


4 Be sure to save the Appliance settings. 


Proxy Configuration 
Proxy configuration is supported in IPv4+v6 mode (the default) and IPv6-only mode. 


If the Scanner Appliance is behind a Proxy server, you need to enable a Proxy 
configuration using the ENABLE PROXY menu option. Authentication (Basic or NTLM) of 
the Scanner Appliance connection to your Proxy server can be enabled by configuring the 
Proxy user and password fields. 


The Scanner Appliance uses Secure Sockets Layer (SSL) protocol (HTTPS) to secure its 
connection to the Qualys web application, in a similar way that a web browser does to a 
secure web server. If the Qualys connection must pass through a Proxy server, then you 
must enable the Proxy option on the Scanner Appliance. This configuration re-directs 
Qualys outbound connections through the Proxy server. 


Your Proxy server must be configured to tunnel or pass through the SSL session to the 
Qualys web application. This ensures a secured end-to-end connection. SSL bridging or 
tunnel termination must not be configured in your Proxy server when supporting the 
Scanner Appliance. 
Tell me the steps 
To configure the Scanner Appliance with Proxy support, follow these steps: 

1 Go to the SETUP NETWORK menu option. 


2 Press the Down arrow until the ENABLE PROXY menu option appears. Then press 
ENTER to continue. 


3 When the CONFIG PROXY PARAMETERS prompt appears, press ENTER to continue. 
Or press the Up arrow two times to quit this procedure and return to the SETUP 
NETWORK menu option. 


Entering parameters 
Enter Proxy parameters using the Up and Down arrows to scroll through characters. 


1 When the PROXY HOST prompt appears, enter the Proxy server's FQDN/IP address. 
The gateway IP address appears in the screen by default. Use the Scanner 
Appliance interface to enter an FQDN/IP address, and then press ENTER to 
continue. 


IPv4+v6 mode: IPv4 addresses are allowed in dotted decimal format, e.g. 
176.34.20.5 


IPv6-only mode: IPv6 addresses are allowed in expanded and collapsed formats. 


Supported characters for FQDN: Upper case letters, numbers, dot (.) and hyphen (-) 


2 When the PROXY PORT: prompt appears, enter the port number assigned to the 
Proxy server. Port “0443” appears in the screen by default. Confirm that the port 
number shown is correct or enter a different one, if necessary. When the correct 
port number appears, press ENTER to continue. 


Supported Characters: numbers only 


3 When the PROXY USER: prompt appears, enter the user name for Proxy 
authentication. If authentication is not enabled at the Proxy level, leave the entry 
field blank. Press ENTER to continue. 


Supported Characters: Lower case letters, upper case letters, numbers, and these 
special characters: _-\@. (including dot). 


4 When the PROXY PASSW prompt appears, enter the password for Proxy 
authentication. If authentication is not enabled at the Proxy level, leave the entry 
field blank. Press ENTER to continue. 


Supported Characters: Lower case letters, upper case letters, numbers, and these 
special characters: _-\/|~!?@#$%^&*+=(){}[]<>:;",. (including dot). 


5 When the REALLY ENABLE PROXY? prompt appears, press ENTER to continue. Or 
press the Up arrow two times to quit this procedure and return to the 
SETUP NETWORK menu option. 


6 Review the confirmation messages. The ENABLING PROXY SUPPORT message 
appears followed by other messages while the Scanner Appliance attempts to 
make a connection to the Qualys Cloud Platform using the new configuration. 


Upon success the SCANNER APPLIANCE NAME-IP ADDRESS message appears and 
the configured proxy is now confirmed working and being used. 
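

A pre-check for the values entered at the PROXY HOST, PROXY PORT, PROXY USER and PROXY PASSW prompts, using the limits given in the steps above and in the Proxy User Name and Proxy Password sections. This is an added example, not Qualys code: the function names and sample values are hypothetical, the password alphabet follows the Special Characters table where the inline list differs, and rejecting an IP version that does not match the network mode is an assumption.

```python
import ipaddress
import string

ALNUM = string.ascii_letters + string.digits
USER_SPECIALS = "_-\\.@"
# The 30 characters named in the "Special Characters in the PROXY PASSW field" table.
PASSW_SPECIALS = "_-\\/|~!?@#$%^&*+=(){}[]<>;\"`,."
HOST_CHARS = string.ascii_uppercase + string.digits + ".-"


def _bad_positions(value, allowed):
    """1-based positions of characters that cannot be entered at the prompt."""
    return [i for i, ch in enumerate(value, start=1) if ch not in allowed]


def check_proxy_user(entry):
    """Return (domain, user, problems) for a PROXY USER entry."""
    problems = []
    if len(entry) > 32:
        problems.append(f"{len(entry)} characters, maximum is 32")
    bad = _bad_positions(entry, ALNUM + USER_SPECIALS)
    if bad:
        problems.append(f"unsupported character at position(s) {bad}")
    if entry.startswith("\\"):
        problems.append("leading backslash: the format is domain\\user with nothing in front")
    # The text before the backslash is taken as the domain name.
    domain, sep, user = entry.partition("\\")
    if not sep:
        domain, user = "", entry
    return domain, user, problems


def check_proxy_passw(passw):
    """Return problems for a PROXY PASSW entry; reports positions, never characters."""
    problems = []
    if len(passw) > 16:
        problems.append(f"{len(passw)} characters, maximum is 16")
    bad = _bad_positions(passw, ALNUM + PASSW_SPECIALS)
    if bad:
        problems.append(f"unsupported character at position(s) {bad}")
    return problems


def check_proxy_host(host, ipv6_only=False):
    """Return (value to enter, problems) for a PROXY HOST entry."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        entry = host.upper()     # the prompt offers upper case letters only
        bad = _bad_positions(entry, HOST_CHARS)
        return entry, ([f"unsupported FQDN character at position(s) {bad}"] if bad else [])
    wanted = 6 if ipv6_only else 4
    if ip.version != wanted:     # assumption: the mode fixes the address family
        return host, [f"IPv{ip.version} address given, this mode takes IPv{wanted}"]
    return host, []


def check_proxy_port(port):
    """Return problems for a PROXY PORT entry given as the typed string."""
    if not (port.isascii() and port.isdigit()):
        return ["numbers only"]
    if not 1 <= int(port) <= 65535:
        return ["port outside 1-65535"]
    return []


if __name__ == "__main__":
    print(check_proxy_host("proxy01.corp.example"))
    print(check_proxy_port("0443"))
    print(check_proxy_user("CORP\\svc_scanner"))
    print(check_proxy_passw("correct horse battery"))
```

Because the password is limited to 16 characters from this alphabet, generate the proxy service account's password within these limits rather than trimming a longer one.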


Interface - Enable Proxy 


The Scanner Appliance user interface to enable Proxy support is shown below. 


Figure 2-7. User Interface for Enable Proxy 


Want to update proxy setting? 


Once a Proxy configuration is enabled, the Proxy settings are stored on the Scanner 
Appliance. You can change or disable these settings at any time. 


To change Proxy parameters, follow these steps: 
1 Go to the SETUP NETWORK menu option. 


2 Press the Down arrow until the CHANGE PROXY PARAMS menu option appears. 
Then press ENTER to continue. 


3 Follow the prompts and messages in the Scanner Appliance interface to change 
the existing Proxy parameters. Existing parameters are displayed in each screen. 
Change and confirm each parameter. If a parameter has not changed, press 
ENTER to view the next parameter. 


4 When the REALLY ENABLE PROXY? prompt appears, press ENTER to continue. Or 
press the Up arrow two times to quit this procedure and return to the 
SETUP NETWORK menu option. 


5 Review the confirmation messages. The ENABLING PROXY SUPPORT message 
appears followed by others. 


To disable Proxy parameters, follow these steps: 


1 Go to the SETUP NETWORK menu option. 


2 Press the Down arrow until the DISABLE PROXY menu option appears. Then press 
ENTER to continue. 


3 When the REALLY DISABLE PROXY? prompt appears, press ENTER to continue. 
Or press the Up arrow two times to quit this procedure and return to the 
SETUP NETWORK menu option. 


4 Review the confirmation messages. 


Interface - Change Proxy Parameters 


Figure 2-8. User Interface for Change Proxy Parameters 


Confirm the configuration 


When you see SCANNER APPLIANCE NAME-IP ADDRESS this means you are ready to start 
scanning. This message appears if the Scanner Appliance made a successful connection to 
the Qualys Cloud Platform using the new configuration. 


The activation code will appear on the screen if the Appliance has not been activated. See 
Step 3 in the Quick Start and follow the instructions to activate the Scanner Appliance. 


An appliance configuration error appears if the Scanner Appliance failed to make a 
connection to the Qualys Cloud Platform. An error may occur because the Proxy 
parameters you entered are incorrect, or they do not match the Proxy configuration on 
your network. See Troubleshooting for help with resolving this issue. 


Split Network Configuration 


Split network configuration is supported only in IPv4+v6 mode (the default). It is not 
supported in IPv6-only mode. 


The Qualys Scanner Appliance provides two network traffic configurations: Standard and 
Split. The Standard configuration is enabled by default. You can choose to enable the Split 
network configuration. For a physical appliance, you'll do this using menu options on the 
SETUP NETWORK menu. 


In the Standard network configuration, the LAN interface or LAN RJ45 Ethernet connector 
(for physical appliances) services scanning traffic and all management traffic (software 
updates, health checks, scan data upload) to the Qualys Cloud Platform over the Internet. 


[Figure: diagram with the labels Corporate Intranet, Intranet Scanner, LAN and Internet] 


Figure 2-9. Standard network traffic configuration (default) 


The Split network configuration allows users to split the scanning traffic from the 
management traffic. The WAN interface by default is only used to communicate with the 
Qualys Cloud Platform for Scanner Appliance management traffic like scan/map job 
pickup, scan/map data upload, software updates and health checks. The LAN interface is 
used for scanning traffic. This configuration enables customers to use Scanner Appliances 
to scan networks that do not have direct Internet access. Split network configuration also 
keeps scanned data and internal targets secure by isolating internal LAN traffic from 
Internet traffic by using the WAN interface. Once configured, no internal traffic is routed 
or bridged to the WAN interface and no management traffic is routed or bridged to the 
LAN interface. 


Figure 2-10. Split network traffic configuration 


Note — LAN is expected to be used for all internal/scan traffic. In Split network 
configuration, WAN has special limited routes required for platform connections only. If 
the WAN interface must be used for scanning, a static route via the WAN interface to 
the scan target host or network range is needed. 


The Scanner Appliance implements logical separation of scanning traffic and 
management traffic regardless of whether you configure the Standard or Split option. 


A few things to consider 


Please review these tips and best practices before you configure Split network 
configuration. 


- Check to be sure that the network connections to both the LAN and WAN interfaces 
have been set up properly. 


- The Scanner Appliance must be configured with DHCP or a static IP address on the 
LAN interface first. 


- Do not configure the LAN and WAN interfaces on the same subnet. This type of 
configuration is not supported. 


Tell me the steps 


Enable DHCP on the WAN Interface 
To configure the WAN interface with DHCP, follow these steps: 


1 Select SETUP NETWORK, press the Down arrow until the ENABLE WAN INTERFACE 
menu option appears. Then press ENTER to continue. 


2 Go to the ENABLE DHCP ON WAN menu option and press ENTER to continue. 


3 When the REALLY ENABLE DHCP ON WAN? prompt appears, press ENTER to 
continue. Or press the Up arrow two times to quit this procedure and return to the 
SETUP NETWORK menu option. 


4 Review the confirmation message. When the SCANNER APPLIANCE NAME-IP 
ADDRESS appears you are ready to start scanning. If another message appears you 
need to complete the Quick Start or resolve the error indicated. 


Enable Static IP on the WAN Interface 
To configure the WAN interface with a static IP address, follow these steps: 


1 Select SETUP NETWORK, press the Down arrow until the ENABLE WAN INTERFACE 
menu option appears. Then press ENTER to continue. 


2 Go to the ENABLE STATIC IP ON WAN menu option and press ENTER to continue. 


3 When the CFG WAN STATIC NETWORK PARAMS? prompt appears, press ENTER to 
continue. Or press the Up arrow to quit this procedure and return to the 
SETUP NETWORK menu option. 


4 When the WAN IP ADDR prompt appears, enter the static IP address, and then 
press ENTER to continue. 


5 When the WAN NETMASK prompt appears, use the Up and Down arrows to scroll to 
the desired netmask value. After selecting a netmask value, press ENTER to 
continue. 


6 When the WAN GATEWAY prompt appears, enter the gateway IP address. Then press 
ENTER to continue. 


7 When the WAN DNS1 prompt appears, enter the IP address for the primary DNS. 
Then press ENTER to continue. 


8 When the WAN DNS2 prompt appears, enter the IP address for the secondary DNS. 
This entry is optional. Press ENTER to continue. 


9 When the REALLY SET WAN STATIC NETWORK? prompt appears, press ENTER to 
continue. Or press the Up arrow to quit this procedure and return to the 
SETUP NETWORK menu option. 


10 Review the confirmation message. When the SCANNER APPLIANCE NAME-IP 
ADDRESS message appears, you are ready to start scanning. If another message 
appears you need to complete the Quick Start or resolve the error indicated. 


Figure 2-11. Enable Static IP Address on WAN Interface 


We'll update menu options once you configure settings. Once you configure ENABLE 
STATIC IP ON WAN the option will change to CHANGE STATIC IP ON WAN. Once you 
configure ENABLE DHCP ON WAN the option will appear as RENEW DHCP ON WAN. 


Ethernet Port Configuration 


The Scanner Appliance uses Ethernet auto negotiation on scanning and management 
ports. Most network devices have auto negotiation enabled. Locked-down port policies 
with auto negotiation disabled, such as forcing speed, duplex, and link capabilities, are 
outdated. This is due to the maturity of the auto negotiation technology as well as the rate 
of adoption by product vendors and consumers over many years. 


In the rare and unusual case where auto negotiation is disabled, Ethernet port 
configuration on the Scanner Appliance is necessary to ensure that link syncing occurs 
between the Scanner Appliance and its link partners. The Ethernet port links on the 
Appliance may be set to full-duplex 1GbaseT, 100baseT or 10baseT, or half-duplex 
100baseT or 10baseT. The LAN and WAN port links (for split network configuration) may 
be set. The port link configuration on the Scanner Appliance must match the same 
configuration on the link partners. For example, if you have 100baseT full-duplex forced 
on devices, the same configuration must be enabled on the Appliance. 


In the absence of auto negotiation, link syncing between link partners may not occur and 
the link may not come up. Consequently, the Scanner Appliance data transmission may 
be slow and there may be high packet loss, leading to unreliable scan results. 


Tell me the steps 
1 Select the SETUP NETWORK menu option. 


2 Press the Down arrow to advance through the menu options. When the ETHERNET 
PORT SETTINGS menu option appears, press ENTER. 


3 The LAN PORT LINK option is displayed along with the LAN port link setting in 
effect. Press the Right arrow to advance through the available port link settings. 


Tips - Use the Left arrow to advance through the settings in reverse order. To quit 
this procedure and return to SETUP NETWORK, press the Up arrow two times. 


Setting Description 
AUTO Auto negotiation 
1GbaseT/Full 1GbaseT (1 gigabit) full-duplex data transmission 
100baseT/Full 100baseT full-duplex data transmission 
100baseT/Half 100baseT half-duplex data transmission 
10baseT/Full 10baseT full-duplex data transmission 
10baseT/Half 10baseT half-duplex data transmission 


4 When the desired LAN port link setting is displayed, press ENTER to confirm the 
configuration setting. 


5 When the REALLY SET LAN TO «value» prompt appears, press ENTER to store 
the configuration setting. Go to Step 9 unless WAN port configuration is necessary 
for split network configuration. 


Split Network Configuration: When the Scanner Appliance has a split network 
configuration, you have the option to configure the WAN port link setting. To do 
this, follow the steps below. 


6 Press the Down arrow one time. The WAN PORT LINK option is displayed along 
with the WAN port link setting in effect. 


7 Press the Right arrow to advance through the available port link settings. 


Tips - Use the Left arrow to advance through the settings in reverse order. To quit 
this procedure and return to SETUP NETWORK, press the Up arrow two times. 


Setting Description 
AUTO Auto negotiation 
1GbaseT/Full 1GbaseT (1 gigabit) full-duplex data transmission 
100baseT/Full 100baseT full-duplex data transmission 
100baseT/Half 100baseT half-duplex data transmission 
10baseT/Full 10baseT full-duplex data transmission 
10baseT/Half 10baseT half-duplex data transmission 

8 When the desired WAN port link setting is displayed, press ENTER to confirm the 
configuration setting. 


9 When the REALLY SET WAN TO «value» prompt appears, press ENTER to store 
the configuration setting. 


10 Return to SETUP NETWORK. 


A change to an Ethernet port setting takes effect right away. 


Changing the Network Configuration 


When the Scanner Appliance has successfully connected to the network, the Appliance 
stores the network configuration settings. These settings will appear as default 
parameters in the Scanner Appliance user interface. You can make updates to the 
network configuration at any time using the Scanner Appliance interface. 


For example, to change from DHCP on the LAN interface to a static IP address on the LAN 
interface, go to the SETUP NETWORK menu option and then press ENTER. Press the Down 
arrow until the ENABLE STATIC IP ON LAN menu option appears. Follow the prompts 
and enter the static IP configuration. 


Some network configuration settings have confirmation prompts. Be sure to confirm new 
configuration settings at these prompts. For example, if you are updating from DHCP on 
the LAN interface to a static IP on the LAN interface, enter the appropriate configuration 
settings following the prompts. At the REALLY SET LAN STATIC NETWORK? prompt, press 
ENTER to confirm the change. 


Want to reset the network configuration to the factory default? See Reset All Network 
Settings. 


When a scan is in progress at the time of the configuration change, the scan task is 
canceled and the message CANCELING THE ONGOING SCAN appears in the Scanner 
Appliance interface. This message is a reminder that a scan in progress will not complete, 
although partial scan results may be available. To avoid this situation check the “scan in 
progress” indicator (S1 LED) on the front panel prior to making changes to network 
settings. 


An appliance configuration error indicates that the Scanner Appliance was not able to 
make a connection to the Qualys platform using the new appliance configuration. See 
Troubleshooting for help with resolving the issue. 


Enable IPv6-only Mode 


When you deploy a scanner appliance, it works in IPv4+v6 mode by default. You have the 
option to enable IPv6-only mode. When you enable IPv6-only mode, all communications 
will use IPv6 addresses instead of IPv4 addresses, and you'll see additional menu options 
in the LCD display for IPv6 network and proxy configurations. 

Step 1 - Reset to IPv6-only mode 


The first step you'll need to take is to reset the network configuration on the appliance to 
use IPv6-only mode. Follow these steps: 


1 Go to the SETUP NETWORK menu option and press ENTER. 


2 Press the Down arrow to advance through the menu options. When the RESET 
NETWORK SETTINGS menu option appears, press ENTER. 


3 Press the Down arrow to advance through the menu options. When the RESET TO 
IPv6 ONLY MODE? menu option appears, press ENTER to continue. Or press the 
Up arrow to quit this procedure and return to the SETUP NETWORK menu. 


Step 2 - Configure network and proxy settings (optional) 


In IPv6-only mode, you have the option to configure the scanner network interface with 
either a manual or automatic IPv6 configuration. IPv6-only mode supports proxy and 
VLAN configurations. Proxy and VLAN configurations work the same whether you're in 
IPv4+v6 mode or IPv6-only mode. See the following sections for details: 


Network Settings in IPv6-only Mode 
Configure VLANs and Static Routes 


Proxy Configuration 


Network Settings in IPv6-only Mode 


When in IPv6-only mode, configure the scanner network interface either with manual or 
automatic IPv6 network configuration. Automatic IPv6 is used by default. 


Configure the scanner with automatic IPv6 


Automatic IPv6 is the default network configuration for a scanner in IPv6-only mode. 
When using automatic IPv6 we'll do IPv6 address assignment through router 
advertisement. 


Even with automatic IPv6 configuration, you have an option to configure manual DNS 
resolvers for your scanner. If configured manually, IPv6 DNS1 and IPv6 DNS2 resolvers will 
take precedence over the DNS resolvers acquired from DHCPv6 and RADVD. 

Configure the scanner with manual IPv6 


If automatic IPv6 address assignment is not available on your network, you must enable 
the Scanner Appliance with a manual IPv6 address using the ENABLE STATIC IPv6 ON 
LAN? menu option. One of these configurations is required. Note: For a valid network 
configuration, you should configure at least one IPv6 DNS resolver. 


Tell me the steps 


When enabling a manual IPv6 address on the LAN interface, you must enter network 
configuration settings for the Scanner Appliance so that the Appliance can communicate 
with the Qualys Cloud Platform. Note: Anytime you enter an IPv6 address, both expanded 
and compressed formats are supported. 


Follow these steps to enable a manual IPv6 address on the LAN interface: 
1 Go to the SETUP NETWORK menu option and press ENTER to continue. 


2 Press the Down arrow until the ENABLE STATIC IPv6 ON LAN? menu option 
appears. Then press ENTER to continue. 


3 When the IPv6 ADDR prompt appears, enter the IPv6 IP address, and then press 
ENTER to continue. 


4 When the IPv6 PREFLEN prompt appears, use the Up and Down arrows to scroll 
to the desired prefix length value. After selecting a prefix length, press ENTER to 
continue. 


5 When the IPv6 GW prompt appears, enter the gateway IPv6 address, and then 
press ENTER to continue. 


6 When the IPv6 DNS1 prompt appears, enter the IPv6 address for the primary DNS 
server, and then press ENTER to continue. 


7 When the IPv6 DNS2 prompt appears, enter the IPv6 address for the secondary 
DNS server. This entry is optional. Press ENTER to continue. 


8 When the REALLY SETUP STATIC LAN IPV6? prompt appears, press ENTER to 
continue. Or press the Up arrow to quit this procedure and return to the 
SETUP NETWORK menu option. 


9 Review the confirmation messages. The Scanner Appliance attempts to make a 
connection to the Qualys Cloud Platform using the new configuration. Upon 
success, the SCANNER APPLIANCE NAME-IP ADDRESS message appears and the 
manual IPv6 address is enabled. 

Renew Auto IPv6 on LAN 


Follow these steps to renew the network configuration on LAN when using automatic IPv6. 


1 Go to the SETUP NETWORK menu option and press ENTER to continue. 


2 Press the Down arrow until the RENEW AUTO IPv6 ON LAN? menu option appears. 
Then press ENTER to continue. 


3 When the Auto v6 ADDR prompt appears, press ENTER to continue. Scroll Left 
and Right to view the complete IPv6 address. The IPv6 address cannot be changed. 


4 When the Auto PREFLEN prompt appears, press ENTER to continue. The prefix 
length for automatic IPv6 cannot be changed. 


5 When the Auto GATEWAY prompt appears, enter the gateway IPv6 address, and 
then press ENTER to continue. Scroll Left and Right to view the complete IPv6 
address. 


6 When the Manual DNS1 prompt appears, enter the IPv6 address for the primary 
DNS server, and then press ENTER to continue. Or press the Up arrow to quit this 
procedure and return to the SETUP NETWORK menu option. 


7 When the Manual DNS2 prompt appears, enter the IPv6 address for the secondary 
DNS server, and then press ENTER to continue. 


8 When the REALLY SETUP AUTO LAN IPV6? prompt appears, press ENTER to 
continue. Or press the Up arrow to quit this procedure and return to the 
SETUP NETWORK menu option. 


Switch Between Modes 


Easily switch between IPv4+v6 and IPv6-only network modes. When you're in IPv6-only 
mode, you'll see the option to reset to IPv4+v6 mode. When you're in IPv4+v6 mode, 
you'll see the option to reset to IPv6-only mode. 


Switch from IPv6-only to IPv4+v6 mode 


1 Go to the SETUP NETWORK menu option and press ENTER. 


2 Press the Down arrow to advance through the menu options. When the RESET 
NETWORK SETTINGS menu option appears, press ENTER. 


3 Press the Down arrow to advance through the menu options. When the RESET TO 
IPv4+v6 MODE? menu option appears, press ENTER to continue. Or press the Up 
arrow to quit this procedure and return to the SETUP NETWORK menu. 


Switch from IPv4+v6 to IPv6-only mode 


1 Go to the SETUP NETWORK menu option and press ENTER. 


2 Press the Down arrow to advance through the menu options. When the RESET 
NETWORK SETTINGS menu option appears, press ENTER. 


3 Press the Down arrow to advance through the menu options. When the RESET TO 
IPv6 ONLY MODE? menu option appears, press ENTER to continue. Or press the 
Up arrow to quit this procedure and return to the SETUP NETWORK menu. 


Reset All Network Settings 


You have the option to reset the network configuration to the factory default using the 
RESET NETWORK SETTINGS menu option on the Scanner Appliance user interface. For 
example, you may wish to reset the network configuration for troubleshooting purposes 
when setting up the Scanner Appliance. This is useful if you need to quickly set up the 
Scanner Appliance in a different location. 


Important! When you reset the network configuration the service resets the network 
settings to the factory default. Any existing network settings that were customized by the 
user are removed. These include settings entered using the Scanner Appliance interface 
such as static IP address, Proxy support, the WAN interface configuration, Ethernet port 
configuration, and user/password store. After the reset, you must manually re-enter any 
required network configuration settings using the Scanner Appliance interface and ensure 
that the Scanner Appliance can connect to the Qualys Cloud Platform. Without proper 
configuration, the Scanner Appliance cannot perform scans. 


To reset the network configuration, follow these steps: 
1 Go to the SETUP NETWORK menu option and press ENTER. 


2 Press the Down arrow to advance through the menu options. When the RESET 
NETWORK SETTINGS menu option appears, press ENTER. 


3 When the REALLY RESET ALL SETTINGS? prompt appears, press ENTER to 
continue. Or press the Up arrow to quit this procedure and return to the 
SETUP NETWORK menu. 


4 Review the confirmation messages. 


5 The Scanner Appliance attempts to connect to the Qualys Cloud Platform using 
the default network configuration. 


- Default network configuration for IPv4+v6 mode: DHCP enabled, no VLAN 
configuration, no Proxy configuration, no split network configuration, and 
Ethernet auto negotiation enabled. 
- Default network configuration for IPv6-only mode: Automatic IPv6, no Proxy 
configuration, no VLAN configuration. 


In a case where the Scanner Appliance network configuration was customized (not 
identical to the default configuration provided by Qualys) before the reset, further 
network configuration is necessary in order for the Scanner Appliance to connect to the 
Qualys Cloud Platform and perform scans. Need help? See the Quick Start. 

Troubleshooting 


This appendix describes troubleshooting techniques you can use to respond to errors and 
performance conditions when using the Scanner Appliance. 


How can I test network connectivity? 
Communication Failure message 

Appliance Network Errors 

Network Errors using older appliance model 


Where can I find the model number and serial number? 

How can I test network connectivity? 


Use a Laptop. It is recommended that you test network connectivity to the Qualys Cloud 
Platform using your laptop (or other device): 


1) Take the laptop to the location where the Scanner Appliance will be installed and 
connect the laptop to the network, using the same network cable and port that will be 
used for the Appliance. 


2) Configure the laptop with the same network configuration that the Scanner Appliance 
will use (IP address, gateway, DNS server, etc.). 


3) If the connection to the Qualys Cloud Platform must pass through a proxy server, 
configure the laptop’s web browser with proxy information. 


4) Open a browser and try to log into your Qualys account. You'll see the Qualys 
Log In page after a successful connection is made to the Qualys Cloud Platform. 


Test DNS Name Resolution. You can test DNS name resolution from any machine 
connected to the same network as your Scanner Appliance. If DNS name resolution is 
working properly, server information is returned including the server name and IP 
address. (Note that “nslookup” is not available on all systems.) 
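
The laptop test and DNS check described above can be scripted. The following is an added example, not Qualys code: it checks DNS, TCP, an optional proxy CONNECT and the TLS handshake in order, and reports the first failure using the message names from the Appliance Network Errors table. The function names, the mapping from Python exceptions to table entries, and the hostname `qualys-platform.example` are assumptions of this example; substitute your platform URL from www.qualys.com/platform-identification/.

```python
import socket
import ssl

TIMEOUT_S = 30  # the error table expects the platform to answer within 30 seconds


def parse_status(reply):
    """Return the status code from a proxy's reply to CONNECT, or 0 if malformed."""
    try:
        return int(reply.split(b"\r\n", 1)[0].split(b" ")[1])
    except (IndexError, ValueError):
        return 0


def classify(exc, stage, iface="LAN", via_proxy=False):
    """Map an exception raised during one probe stage to an error-table message.

    The mapping is this example's assumption, not documented appliance logic.
    """
    if stage == "dns":
        what = "proxy" if via_proxy else "QG URL"
        return f"{iface} DNS can't resolve {what}"
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Typical when a proxy or intercepting device re-signs the connection.
        return "SSL peer cert was not OK"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "Timeout was reached (28)"
    if stage == "send":
        return "Failed sending peer data (55)"
    if stage in ("recv", "tls"):
        return "Failed receiving peer data (56)"
    return "Error connect to server (07)"


def probe(host, port=443, proxy=None, iface="LAN", timeout=TIMEOUT_S):
    """Check DNS, TCP, optional proxy CONNECT and TLS; return "OK" or a message.

    proxy is an optional (host, port) tuple for an unauthenticated HTTP proxy.
    """
    first_hop = proxy or (host, port)
    stage = "dns"
    try:
        socket.getaddrinfo(first_hop[0], first_hop[1], type=socket.SOCK_STREAM)
        stage = "connect"
        with socket.create_connection(first_hop, timeout=timeout) as sock:
            if proxy:
                stage = "send"
                sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\n"
                             f"Host: {host}:{port}\r\n\r\n".encode("ascii"))
                stage = "recv"
                status = parse_status(sock.recv(4096))
                if status == 0:
                    return "Failed receiving peer data (56)"
                if status != 200:
                    return f"unexpected proxy HTTP/{status}"
            stage = "tls"
            context = ssl.create_default_context()  # verifies chain and hostname
            with context.wrap_socket(sock, server_hostname=host):
                return "OK"
    except OSError as exc:
        return classify(exc, stage, iface, bool(proxy))


if __name__ == "__main__":
    # Placeholder hostname: replace with the platform URL for your subscription.
    print(probe("qualys-platform.example"))
```

Run it from the laptop while it is plugged into the port and configured with the addresses the Scanner Appliance will use, so the result reflects the same network path.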


Communication Failure message 


You'll see a COMMUNICATION FAILURE message if there is a network communications 
breakdown between the Scanner Appliance and the Qualys Cloud Platform. 


Why does it happen? 


The communication failure may be due to one of these reasons: the network cable was 
unplugged from the Scanner Appliance, the local network goes down, or any of the 
network devices between the Scanner Appliance and the Qualys Cloud Platform goes 
down. 


When does the message appear? 


If there are no scans running on the Appliance - The next time the Appliance sends a 
polling request to the Qualys Cloud Platform, the polling request fails, and then the 
COMMUNICATION FAILURE message appears. 


If there are scans running on the Appliance - The COMMUNICATION FAILURE message 
appears after the running scans time out. Usually the S1 LED turns off after the scans 
time out. If this message appears, it is recommended that you use the Qualys user 
interface to cancel any running scans and restart them to ensure that results are 
accurate. 

How do I know the issue is resolved? 


After the root cause is resolved, you'll see the COMMUNICATION FAILURE message until the 
next time the Appliance makes a successful polling request to the Qualys Cloud Platform. 
Then you'll see the Appliance's IP address - friendly name and you can start scanning 
using your Appliance. 


Note - The COMMUNICATION FAILURE message may not disappear right away. There may 
be a lag time after the network is restored and before the Appliance is back online, 
depending on when the next polling request is scheduled. Additional time is necessary for 
communications to be processed by a Proxy server if the Appliance has a Proxy 
configuration. 


Appliance Network Errors 


An appliance network error indicates the Scanner Appliance attempted to connect to the 
Qualys Cloud Platform and failed. 


Important! The Scanner Appliance is not functional until the error is resolved. Make sure 
to resolve the error. 


LAN/WAN Errors 

Error: no CARRIER on LAN interface 
Solution: This error appears when attempting to configure proxy or personalization 
while the LAN network cable/port is disconnected. Check that the LAN port is connected. 

Error: no CARRIER on WAN interface 
Solution: This error appears when attempting to configure proxy or personalization 
while the WAN network cable/port is disconnected. Check that the WAN port is connected. 

Error: LAN has no IPv4 address 
Solution: Check that the LAN cable/port is connected. If configuring LAN for DHCP-IP 
assignment, make sure the DHCP server is accessible and functional. 

Error: WAN has no IPv4 address 
Solution: Check that the WAN cable/port is connected. If configuring WAN for DHCP-IP 
assignment, make sure the DHCP server is accessible and functional. 

Error: LAN has no DNS servers 
Solution: Check that the LAN interface has valid DNS servers configured. 

Error: WAN has no DNS servers 
Solution: Check that the WAN interface has valid DNS servers configured. 

Error: LAN DNS can't resolve QG URL 
Solution: Ensure the LAN's configured DNS servers can resolve the Qualys Platform URL. 
See www.qualys.com/platform-identification/ for platform URLs. 



Error: WAN DNS can't resolve QG URL 
Solution: Ensure the WAN's configured DNS servers can resolve the Qualys Platform URL. 
See www.qualys.com/platform-identification/ for platform URLs. 

Error: Invalid LAN IP configuration 
Solution: Ensure a valid IP address is assigned to the LAN interface. 

Error: Invalid WAN IP configuration 
Solution: Ensure a valid IP address is assigned to the WAN interface. 

Error: LAN DNS can't resolve proxy 
Solution: Ensure LAN DNS server(s) can resolve the scanner's configured proxy hostname. 

Error: WAN DNS can't resolve proxy 
Solution: Ensure WAN DNS server(s) can resolve the scanner's configured proxy hostname. 

Error: LAN DHCP lease has no gateway 
Solution: Ensure DHCP server is assigning a valid gateway for LAN interface. 

Error: WAN DHCP lease has no gateway 
Solution: Ensure DHCP server is assigning a valid gateway for WAN interface. 

Error: Duplicate LAN and WAN config 
Solution: LAN and WAN must be on different subnets. 

Error: LAN DNS server not reachable 
Solution: Ensure LAN interface has network connectivity to its configured DNS servers. 

Error: WAN DNS server not reachable 
Solution: Ensure WAN interface has network connectivity to its configured DNS servers. 

Error: LAN and WAN same gateway 
Solution: LAN and WAN must be configured with different subnets and gateway addresses. 

Error: Duplicate IP detected 
Solution: Ensure LAN/WAN is configured with an IP address that is not already in use by 
another host on the network. 

Proxy Errors 

Error: Invalid proxy IP 
Solution: Ensure proxy configuration on the scanner is configured with a valid IP 
address for the proxy. 

Error: Invalid proxy auth config 
Solution: Ensure proxy configuration on the scanner is configured with valid proxy 
username and password. 

Error: unexpected proxy HTTP/403 
Solution: Ensure configured proxy user on the scanner has authorization to connect to 
the Qualys Platform. 

Error: unexpected proxy HTTP/407 
Solution: Ensure the scanner is configured with valid proxy username and password. 

Error: unexpected proxy HTTP/503 
Solution: Ensure the proxy server can connect to the Qualys Platform. 



Qualys Platform Connectivity Errors 

Error: Error connect to server (07) 
Solution: 
With Proxy Configuration: Ensure proxy configuration on the scanner is configured 
with valid host and port. Ensure the proxy port is accessible from the scanner’s LAN or 
WAN interface. 
Without Proxy Configuration: Ensure the scanner's LAN (single-network) or WAN 
(split-network) interface can connect to the Qualys Platform and is not blocked by any 
firewall rules. 

Error: Timeout was reached (28) 
Solution: 
With Proxy Configuration: Ensure the proxy can connect to the Qualys Platform within 
30 seconds and is not blocked by any firewall rules. 
Without Proxy Configuration: Ensure the scanner's LAN (single-network) or WAN 
(split-network) interface can connect to the Qualys Platform within 30 seconds and is 
not blocked by any firewall rules. 

Error: Failed sending peer data (55) 
Solution: 
With Proxy Configuration: Failure while sending network data to proxy. Ensure the 
scanner can communicate with the configured proxy server. 
Without Proxy Configuration: Failure while sending network data. Ensure the scanner's 
LAN (single-network) or WAN (split-network) interface can connect to the Qualys 
Platform and is not blocked by any firewall rules or network access control devices. 

Error: Failed receiving peer data (56) 
Solution: 
With Proxy Configuration: Failure while receiving network data from proxy. Ensure the 
scanner can communicate with the configured proxy server. 
Without Proxy Configuration: Failure while receiving network data. Ensure the scanner's 
LAN (single-network) or WAN (split-network) interface can connect to the Qualys 
Platform and is not blocked by any firewall rules or network access control devices. 

Error: SSL peer cert was not OK 
Solution: This issue may occur when there is a proxy or intercepting device interfering 
with the certificate exchange process between the scanner and Qualys Platform. Please 
contact Qualys Support. 

Error: Unexpected QG HTTP/401 
Solution: Please report this error to Qualys Support and include all configuration 
details. 

Error: Unexpected QG HTTP/500 
Solution: Please report this error to Qualys Support and include all configuration 
details. 

Error: This scan_id does not exist 
Solution: The scanner is not registered with Qualys. Please contact Qualys Support. 

Error: This Scanner is disabled 
Solution: Please report this error to Qualys Support. 

Error: Account expired 
Solution: Please report this error to Qualys Support. 


Filesystem Mount Errors 

Error: EFS fsck fatal errors 
Solution: Please report this error to Qualys Support. 

Error: EFS mount fatal error 
Solution: Please report this error to Qualys Support. 

For more on troubleshooting, please visit Scanner Appliance Troubleshooting and FAQs. 
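
Several of the LAN/WAN errors above can be caught before the values are typed in at the appliance. The following is an added example, not Qualys code and not the appliance's own validation: it checks a planned single- or split-network configuration and returns the error-table messages it would be expected to trigger, accepting IPv6 addresses in expanded or compressed form. The function names, the dictionary layout, the on-link gateway rule and the sample addresses (documentation ranges) are assumptions of this example.

```python
import ipaddress


def check_interface(label, cfg):
    """Check one interface of a plan; return (interface, gateway, messages).

    cfg holds addr, prefixlen, gateway and dns (a list), as entered at the prompts.
    """
    try:
        iface = ipaddress.ip_interface(f"{cfg['addr']}/{cfg['prefixlen']}")
        gateway = ipaddress.ip_address(cfg["gateway"])
    except ValueError:
        return None, None, [f"Invalid {label} IP configuration"]
    messages = []
    unusable = (iface.ip.is_loopback or gateway.is_loopback  # older models: E09/E11
                or iface.ip.is_unspecified or iface.ip.is_multicast
                or gateway.version != iface.version)
    # Assumption of this example: the gateway is on-link or an IPv6 link-local address.
    link_local_v6 = gateway.version == 6 and gateway.is_link_local
    off_link = gateway not in iface.network and not link_local_v6
    if unusable or off_link:
        messages.append(f"Invalid {label} IP configuration")
    resolvers = []
    for entry in cfg.get("dns", []):
        try:
            resolvers.append(ipaddress.ip_address(entry))
        except ValueError:
            pass  # an unparseable resolver does not count as configured
    if not resolvers:
        messages.append(f"{label} has no DNS servers")
    return iface, gateway, messages


def check_plan(lan, wan=None):
    """Return the error-table messages a single- or split-network plan would raise."""
    lan_if, lan_gw, messages = check_interface("LAN", lan)
    if wan is None:
        return messages
    wan_if, wan_gw, wan_messages = check_interface("WAN", wan)
    messages += wan_messages
    if lan_if is not None and wan_if is not None and lan_if.version == wan_if.version:
        if lan_if.network.overlaps(wan_if.network):
            messages.append("Duplicate LAN and WAN config")
        if lan_gw == wan_gw:
            messages.append("LAN and WAN same gateway")
    return messages


# Constructed plans using documentation address ranges, not values from the guide.
STATIC_V6 = {"addr": "2001:0db8:0000:0000:0000:0000:0000:0010", "prefixlen": 64,
             "gateway": "fe80::1", "dns": ["2001:db8::53"]}
SPLIT_LAN = {"addr": "192.0.2.15", "prefixlen": 24,
             "gateway": "192.0.2.1", "dns": ["192.0.2.53"]}
SPLIT_WAN = {"addr": "192.0.2.200", "prefixlen": 24,
             "gateway": "192.0.2.1", "dns": []}

if __name__ == "__main__":
    print(check_plan(STATIC_V6))             # valid manual IPv6 plan
    print(check_plan(SPLIT_LAN, SPLIT_WAN))  # WAN reuses the LAN subnet and gateway
```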


Network Errors using older appliance model 


Have an older appliance model? Errors are reported differently using older appliance 
models. You might want to check out our Quick Start Guide (prior version): 


https://www.qualys.com/docs/qualys-scanner-appliance-quick-start-guide-3120-a1.pdf 


Important! The Scanner Appliance is not functional until the error is resolved. 


Please refer to the description provided to help you resolve the issue. If you still need help, 
please identify the error code when you contact Qualys Support. 


Error Description 

E00 Internal error (NTLM Proxy error) 

E01 

E02 Internal error (Proxy error) 

E03 Proxy configuration error 

E04 No connectivity after the Proxy was disabled 

E05 DNS lookup of the Qualys server failed (maybe network 
connectivity problem) 

E06 Cannot reach the Qualys server via HTTPS 

E07 Invalid LAN IP address or LAN gateway address 

E08 Invalid WAN IP address or WAN gateway address 

E09 LAN IP address or LAN gateway address cannot be 127.0.0.1 

E10 Could not configure the LAN interface 

E11 WAN IP address or WAN gateway address cannot be 127.0.0.1 

E12 Could not configure the WAN interface 

E13 DNS lookup of the Qualys server failed due to a network 
connectivity problem 

E14 DNS lookup of the Qualys server failed during scanner 
activation due to a network connectivity problem 


More general error codes may be overwritten by more specific ones. For example, the 
appliance may return the error code E04 (No connectivity after the Proxy was disabled). 
After trying to connect for a while, the error code may be overwritten by E13 (DNS lookup 
of the Qualys server failed). When troubleshooting the error, it's useful to be at the 
appliance to watch these error codes scroll by. 


Where can I find the model number and serial number? 


You'll find the model number and serial number for your scanner appliance on a sticker 
on the bottom of the appliance. 


[Image: appliance sticker showing Qualys, Inc., 919 E. Hillsdale Blvd., 4th Floor, 
Foster City, CA 94404 USA; Qualys Support Hotline: +1(866) 801-6161; Serial Number; 
LAN Port MAC Address; WAN Port MAC Address; FCC Part 15 Class A; RoHS; 
Power: 100-240V~, 50-60Hz, 4-2A; Made in USA] 

Appendix A - Product Specifications 


Configuration 

CPU: Intel Xeon® Quad-Core 3.8GHz, 8MB Cache 
Memory: 16GB DDR4-2400 
Storage: 480GB, M.2 SSD 
Ethernet: Two GbE ports 
USB: Two USB 2.0 ports + two USB 3.0 ports 
Power Input: 100-240 VAC, 50-60Hz, 4A Single phase 
Power Consumption: Max: 91W (310 BTU/hr); Typical: 80W (273 BTU/hr) 
Dimension: 1.73 (H) x 17 (W) x 14 (D) inches 
Weight: 11.40 lbs. 

Environment 

Acoustic Noise: ~45 dBA acoustic noise level at 23°C 
Operating Conditions: 0°C to 35°C, from 0 to 5,000 feet; 20% to 90% RH 
Storage Conditions: -10°C to 70°C; 10% to 85% R.H. (non-condensing) 
Operating Vibration: 0.3 Grms, 10 to 500 Hz, 5 minutes per axis 
In-Package Shock: In accordance with ISTA 2A 
Regulatory: UL (conforms to UL 60950-1/CSA C22.2 No. 60950/EN 60950-1, 2nd ed.) 
EMC: FCC Part 15 Class A/ICES-003/EN 55032/EN 55024, CISPR 32 
Environmental: RoHS 
Other certifications: Per specific requirements 

Appendix B - Software Credits 


Portions of the software embedded in the Qualys Scanner Appliance were 
developed by third parties and are governed by the terms and conditions 
detailed in the following Qualys document: 


Qualys Scanner Appliance Software Credits 
https://www.qualys.com/docs/qualys-software-credits-scanner-appliance.pdf 

Appendix C - Safety Notices 


Elevated Operating Ambient — The ambient temperature of an operating rack 
environment will be greater than the room's ambient temperature. The unit must be 
installed in a rack where its operating ambient temperature does not exceed the unit's 
maximum ambient temperature. 


Reduced Air Flow — The unit must be installed in a rack which enables adequate air flow 
for the proper cooling of the unit. 


Adequate Power — The rack must be set up to ensure that an appropriate level and 
amount of power is available to the unit. The overall connection of the rack equipment to 
the supply circuit and the effect that overloading the supply circuit might have on 
overcurrent protection and supply wiring should also be considered. 


Reliable Grounding — Reliable grounding of rack equipment must be maintained. 
Particular attention should be given to supply connections other than direct connections 
to the branch circuit (for example, use of power strips). 


Mechanical Loading — The unit should be installed in a rack in a manner that does not 
create a hazardous condition due to uneven mechanical overloading. 

Cautionary Notices 

The socket-outlet shall be installed near the equipment and shall be easily accessible. 


CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. 
DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. 


WARNING 


Hazardous moving parts 
Keep away from moving fan blades 